Register Now


Lost Password

Lost your password? Please enter your email address. You will receive a link and will create a new password via email.

Unable To Do Port Forwarding To Internal Web Server From Internal Network Through External IP

Here in this article we will discuss how to troubleshoot the issue when internal network clients are unable to access internal web server through port forwarding.

Suppose here is the configuration:

Internal web server:

Firewall External IP:

Internal Client:

Customer is trying to access internal web server ( through ( on port 3389. Now we will create DNAT and firewall rule for the same.

DNAT Rule:

Now we will understand how to create DNAT rule for accessing the internal web server through the firewall public IP address of the firewall

Login to sophos XG firewall and click on Rules and Policies and then click on new NAT rule. Please fill the NAT rule as follows:
Rule Name: Enter any name for the rule

Rule Position: Keep position of the rule as top.

Original Source: ANY

Original Destination: Keep it firewall public IP (

Original Service: Keep it RDP

Translated SNAT: Keep it MASQ

Translated DNAT: Keep it internal public server IP (

Translated Service: Keep it original if original port an translated port are same. If translated port is different from original port add translated port here.

Inbound Interface: Select ANY interface.

Outbound Interface: Select ANY interface.

Save the NAT rule.

NAT rule
NAT rule

Now we have created NAT rule, we need to create firewall to allow the NATed traffic.

Create Firewall Rule:

Now click on Rules and Policies and then click on Add Firewall Rule

Fill the firewall rule parameters as shown below:

Rule Name: Enter any name for rule

Rule Position: Keep it as top.

Rule Group: Keep it as None

Action: Accept

Source Zone: Keep it as LAN zone ((In case if you want to allow access from external network add WAN zone along with LAN zone)

Source Network And Devices: Keep it as ANY

Destination Zone: Add LAN zone since web server is present in LAN zone.

Destination Network: Firewall public IP ( IP)

Destination Service: Add both external and internal service.

firewall rule
Firewall Rule

Once you create the firewall rule save the firewall rule.

Now you can test it, it should work.

Hope this article helps you.